Beginning in V5.5, IBM Connections supports the use of Cross-Origin Resource Sharing (CORS). CORS allows Connections administrators to configure trusted web sites where third-party apps can send secure calls to the Connections REST APIs. The Connections administrator can also provide an optional configuration to customize the CORS response headers to support various deployment scenarios.

To add a web site to IBM Connections CORS trusted list, complete the following steps:

1. On the deployment manager node, check out the LotusConnections-config.xml file.

2. In the file, locate the property called CORS.Trusted.Websites.

3. Add the web site domain name to this property. To add multiple web sites, separate the domain names with commas; for example:

All of a trusted domain's sub-domains will also be trusted. For the previous example, app.mycompany1.com will be trusted because its parent domain mycompany1.com is trusted.

If the same domain runs on multiple ports, each instance must be added to the list. For example, if a service is running on mycompany1.com:9080, that domain and port must be added to the list in order to allow the service on port 9080 to call Connections APIs through CORS.

4. Optionally define a custom response header.

The CORS specification has an option to expose the HTTP response header so that the client can access it. By default, a web browser implementing CORS will only allow the following headers:

Most IBM Connections API clients will need to access additional headers (for example, the Location header) to ensure they are redirected to the correct URL. By default, the IBM Connections CORS implementation allows the following extended headers to be accessed by browsers:

In the case of a complex deployment that produces a header not included in the list, IBM Connections allows system administrators to define their own HTTP headers. The approach is similar to the CORS configuration: the headers list is defined through another generic property in the LotusConnections-config.xml configuration file, called CORS.Expose.Headers. Administrators can add the HTTP response headers in this setting, using commas to separate them. For example, the following setting defines three new headers: